Can't get events with open extension in Microsoft Graph API - azure-active-directory

I created an event through a shared mailbox in Graph API.
https://graph.microsoft.com/v1.0/users/{shared-user-id}/calendars/{shared-calendar-id}/events
{
"subject": "New Event Test",
"body": {
"contentType": "HTML",
"content": "Mail FLow Test"
},
"start": {
"dateTime": "2021-01-29T12:00:00",
"timeZone": "Eastern Standard Time"
},
"end": {
"dateTime": "2021-01-30T14:00:00",
"timeZone": "Eastern Standard Time"
},
"attendees": [
{
"emailAddress": {
"address":"calendar#contoso.com",
"name": "Calendar Organizer"
},
"type": "required"
}
]
}
This creates an event successfully, and after that, I patched this event with extended data using open extension.
https://graph.microsoft.com/v1.0/users/{user-id}/calendars/{calendar-id}/events/{just-created-event-id}
{
"extensions": [
{
"#odata.type": "microsoft.graph.openTypeExtension",
"extensionName": "Com.Contoso.Events",
"courseId": 22,
"materialId": 75,
"courseType": "video"
}
]
}
This seems not to work. This responses Access is denied.
https://graph.microsoft.com/v1.0/users/{shared-user-id}/calendars/{shared-calendar-id}/events?$expand=extensions($filter=id eq 'Microsoft.OutlookServices.OpenTypeExtension.Com.Contoso.Events')
It responses ErrorAccessDenided with error message "Access is denied. Check credentials and try again".
But if I try this without expanding extensions, then it works.
I couldn't even to create an event because it responded with the same error and message "Access is denied. Check credentials and try again", so I added an API permission MailboxSettings.ReadWrite in my Azure AD that made work an event creation through the shared mailbox.
What is the reason why I can create or get events but not add or expand extensions?

Move my comment here so that this issue is treated as answered.
The method you are using is incorrect. Please refer to this sample to create the open extension.
But based on my test, we cannot use an admin (or a delegated user or a shared mailbox member) to create the extension for the shared mailbox (Even if I have added Calendars.Readwrite.Shared permission). It will give 403 error as you have encountered.
When I sign in with the shared mailbox user, it can create the open extension for itself.
So the conclusion is: when we use delegated permissions (user token), we can only create an open extension for the currently logged in user himself.

Related

PATCH request with operator "Remove" not getting sent when removing a member from a group

I am looking into Azure AD SCIM Provisioning and I have a question I am hoping I could get some help on. My use case is as follows
I created a Group in Azure AD and added "John Smith" and "Jane Smith" as members to it.
I went over to my Non-Gallery application added the Group created above to my application and triggered an On-Demand provisioning.
Both "John Smith" and "Jane Smith" were successfully created in my local database.
I removed "John Smith" from my group and triggered an On-Demand provisioning again.
My expectation was that the following PATCH request would be sent by Azure Ad
"Operations": [
{
"op": "Remove",
"path": "members",
"value": "john-smith-id"
}
]
but instead Azure AD sends a PATCH request to /Users with the following body
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
],
"Operations": [
{
"op": "Add",
"path": "displayName",
"value": "John Smith"
}
]
and another PATCH request to /Groups with the following body
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
],
"Operations": [
{
"op": "Add",
"path": "externalId",
"value": "some-guid"
}
]
Is this correct? I feel like I am messing something up when removing the member from the Group which isn't triggering the desired PATCH request
After step #4, I would recommend checking if the user has successfully been removed from the group.
Also, make sure that you're using the right rule ID in the on-demand provisioning request. One easy way to do this is to try through the UI and look at the network traffic ctrl+shift+i
The rule ID can be found in the schema.

Problem with StatusReport trait in Smart Home Actions

I have a Security System with traits action.devices.traits.ArmDisarm and action.devices.traits.StatusReport and some other sensors: WaterLeak Sensor, Door Sensor ...
I report some errors about other devices with StatusReport state.
For example: when the door sensor detects that the door is open, the security system must give deviceOpen error.
When I say, "Is my security system ok?", my server's response to the query intent is the JSON below, but Google Assistant says that he couldn't reach my action (Unexpected error happened).
Is there anything wrong with this response?
{
"requestId": "10417064006786362499",
"payload": {
"devices": {
"3rL3QL7Kq2HrQjs53Y7o": {
"isArmed": true,
"currentStatusReport": [
{
"blocking": true,
"deviceTarget": "4BCIpzBWpgLA24mMI7r2",
"priority": 0,
"statusCode": "deviceOpen"
},
{
"blocking": true,
"deviceTarget": "MxRCd6ERRSWzYzyNTE8S",
"priority": 0,
"statusCode": "waterLeakDetected"
}
],
"status": "EXCEPTIONS",
"online": true
}
}
}
}
In Firebase Console there are no errors.
Logs in Firebase Console
Your response to the query intent looks right, but there might be an error in other parts of the process. You can follow the Troubleshooting Guide to see how your failed intent is counted in the Smart Home metrics and what are the details on your logs. (Firebase logs only gives info about your server. The logging mentioned in the guide (Google Cloud Logging) is a different and more comprehensive for the intent handling)

GraphAPI Schema Extensions don't appear for Messages

I would like to add some custom data to emails and to be able to filter them by using GraphAPI.
So far, I was able to create a Schema Extension and it gets returned successfully when I query https://graph.microsoft.com/v1.0/schemaExtensions/ourdomain_EmailCustomFields:
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#schemaExtensions/$entity",
"id": "ourdomain_EmailCustomFields",
"description": "Custom data for emails",
"targetTypes": [
"Message"
],
"status": "InDevelopment",
"owner": "hiding",
"properties": [
{
"name": "MailID",
"type": "String"
},
{
"name": "ProcessedAt",
"type": "DateTime"
}
]
}
Then I patched a specific message https://graph.microsoft.com/v1.0/me/mailFolders/Inbox/Messages/hidingmessageid:
PATCH Request
{"ourdomain_EmailCustomFields":{"MailID":"12","ProcessedAt":"2020-05-27T16:21:19.0204032-07:00"}}
The problem is that when I select the message, the added custom data doesn't appear by executing a GET request: https://graph.microsoft.com/v1.0/me/mailFolders/Inbox/Messages?$top=1&$select=id,subject,ourdomain_EmailCustomFields
Also, the following GET request gives me an error.
Request: https://graph.microsoft.com/v1.0/me/mailFolders/Inbox/Messages?$filter=ourdomain_EmailCustomFields/MailID eq '12'
Response:
{
"error": {
"code": "RequestBroker--ParseUri",
"message": "Could not find a property named 'e2_someguid_ourdomain_EmailCustomFields' on type 'Microsoft.OutlookServices.Message'.",
"innerError": {
"request-id": "someguid",
"date": "2020-05-29T01:04:53"
}
}
}
Do you have any ideas on how to resolve the issues?
Thank you!
I took your schema extension and copied and pasted it into my tenant, except with a random app registration I created as owner. then patched an email with your statement, and it does work correctly.
A couple of things here,
I would verify using microsoft graph explorer that everything is correct. eg, log into graph explorer with an admin account https://developer.microsoft.com/en-us/graph/graph-explorer#
first make sure the schema extensions exists
run a get request for
https://graph.microsoft.com/v1.0/schemaExtensions/DOMAIN_EmailCustomFields
It should return the schemaextension you created.
then
Run a get request for the actual message you patched not all messages that you filtered for now.
https://graph.microsoft.com/v1.0/me/mailFolders/Inbox/Messages/MESSAGEID?$select=DOMAIN_EmailCustomFields
here the response should be the email you patched and your EmailCustomField should be in the data somewhere, if it is not, that means that your patch did not work.
then you can run patch again from graph explorer
I did all this from graph explorer, easiest way to confirm.
two other things,
1) maybe the ?$top=1 in your get first message isn't the same message that you patched?
2) as per the documentation, you cannot use $filter for schema extensions with the message entity. (https://learn.microsoft.com/en-us/graph/known-issues#filtering-on-schema-extension-properties-not-supported-on-all-entity-types) So that second Get will never work.
Hopefully this helps you troubleshoot.

AAD group delta query does not return members#delta anymore?

I have a client application leveraging Microsoft Graph to get incremental changes for a certain AAD Group.
My BVT caught an issue and when I debugged, I found the Graph request does not return the members#delta collection any longer so the app did not receive any Group Membership changes.
Request:
https://graph.microsoft.com/v1.0/groups/delta?$expand=members&$select=id,displayName,mailNickName,onPremisesSecurityIdentifier,groupTypes,securityEnabled&$filter=id eq '9f63ad39-xxxx-xxxx-xxxx-xxxxxxxxxxxxxx'
Response:
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#groups(id,displayName,mailNickname,onPremisesSecurityIdentifier,groupTypes,securityEnabled,members())",​
"#odata.nextLink": "https://graph.microsoft.com/v1.0/groups/delta?$skiptoken=duo2tEVrL.............................-Ay-zlyuo2tEVrLOUh0PUTdXM",​
"value": [​
{​
"displayName": "TestGroup-OneUser",​
"mailNickname": "9a234b7e8ad-3",​
"securityEnabled": true,​
"id": "9f63ad39-xxxx-xxxx-xxxx-xxxxxxxxxx",​
"members#delta": [​
{​
"#odata.type": "#microsoft.graph.user",​
"id": "18e2a00c-xxxx-xxxx-a9a9-xxxxxxxxxxxxx"​
}​
]​
}​
]​
}
Any idea what has changed?
You should add members to $select, change the request like this:
https://graph.microsoft.com/v1.0/groups/delta?$select=id,displayName,members&$filter=id eq '1068699c-044b-4846-b45a-4137e06a7ca2'

Intune policies through JSON (oData) template

I am trying to create a JSON template to create the Intune (based on Office 365) policies through Graph api. I am able to create policies for some of the URIs like terms and conditions but others. I tried creating for odata
microsoft.graph.iosEasEmailProfileConfiguration
it failed giving error 400.
i would like to know if it is working for anyone and how
If you get 400 errors in MS Graph API you can crete a case with Azure support.
I haven't tried the one you mention. But I have figured out a couple of them, after banging my head in the wall for some weeks with the poor Microsoft Graph API documentation.
Compliance policies:
POST https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies
{
"#odata.type": "microsoft.graph.androidCompliancePolicy",
"displayName": "Android",
"passwordRequired": true,
"passwordMinimumLength": 4,
"passwordRequiredType": "numericComplex",
"passwordMinutesOfInactivityBeforeLock": 15,
"storageRequireEncryption": true,
"scheduledActionsForRule":[{"ruleName":"Mark device noncompliaant","scheduledActionConfigurations":[{"actionType":"block","gracePeriodHours":72,"notificationTemplateId":""}]}]
}
Device Configuration policies:
POST https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations
{
"#odata.type": "#microsoft.graph.androidGeneralDeviceConfiguration",
"description": "",
"displayName": "Device restriction - Android",
"passwordBlockFingerprintUnlock": false,
"passwordBlockTrustAgents": false,
"passwordExpirationDays": null,
"passwordMinimumLength": 4,
"passwordMinutesOfInactivityBeforeScreenTimeout": 15,
"passwordPreviousPasswordBlockCount": null,
"passwordSignInFailureCountBeforeFactoryReset": 11,
"passwordRequiredType": "numericComplex",
"passwordRequired": true,
"storageRequireDeviceEncryption": true
}
I have also figured out branding, groups, setting MDM authority, setting update ring and adding windows hello settings.
But I cannot figure out how to assign compliance policies to groups.
The examples in the MS Graph API documentation just throws an error.
I also cannot find where in Graph API i can do condidtional access in Intune and how I control device settings in Azure AD.
You can do a POST to deviceManagement/deviceConfigurations with following sample payload:
{
"id": "00000000-0000-0000-0000-000000000000",
"displayName": "profile name",
"description": "profile description",
"scopeTags": [],
"#odata.type": "#microsoft.graph.iosEasEmailProfileConfiguration",
"blockMovingMessagesToOtherEmailAccounts": false,
"blockSendingEmailFromThirdPartyApps": false,
"blockSyncingRecentlyUsedEmailAddresses": false,
"durationOfEmailToSync": "userDefined",
"requireSmime": false,
"requireSsl": true,
"hostName": "outlook.microsoft.com",
"accountName": "Account name",
"usernameSource": "userPrincipalName",
"emailAddressSource": "userPrincipalName",
"authenticationMethod": "usernameAndPassword"
}

Resources